Date released: 28.05.2007
Date reported: 05.10.2007
$Revision: 1.1 $
by Alexander Klink
Cynops GmbH
[email protected]
https://www.cynops.de/advisories/CVE-2007-6521.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-6521-signed.txt)
https://www.klink.name/security/aklink-sa-2008-006-opera-heap-overflow.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6521
Vendor: Opera Software ASA
Product: Opera
Website: http://www.opera.com
Vulnerability: heap-based buffer overflow
Class: remote
Status: patched (mostly)
Severity: moderate (denial of service, possibly code execution)
Releases known to be affected: 9.23, 9.24
Releases known NOT to be affected: 9.25
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:
Opera is a closed-source cross-platform web browser with a market
share of about 1-2%.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:
When connecting to a TLS-protected website, Opera parses the X.509
certificate including the so-called "subject alternative names".
Using a certificate with a specially crafted subject alternative name,
an attacker can trigger a heap-based buffer overflow in Opera which
leads to denial of service (application crashes) or arbitrary code
execution.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:
The heap buffer overflow apparently occurs when creating a string that
is supposed to tell the user that the server name does not match the
DNS subject alternative name in the X.509 certificate.
In the most trivial case (a DNS subject alternative name of "l" x 50000,
for example), this leads to a crash in the following code (using Opera
9.24 on Windows XP SP2):
67AB756A |. 8B0D CC01F967 MOV ECX,DWORD PTR DS:[67F901CC]
67AB7570 |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
67AB7572 |. FF50 10 CALL DWORD PTR DS:[EAX+10]
with EAX = 0x006C006C, i.e. the wchar representation of 'll'.
This basically means that an attacker can redirect the code execution
to where he wants, for example to code he placed on the stack.
Unfortunately, the DNS subject alternative names are stored as
IA5Strings in the certificate, so the addresses one can call from
are limited to 0x00??00?? (+10), which somewhat limits exploitability.
Fortunately, JavaScript heap spraying has proven to be effective at
spraying such an address, from which the exploit can continue.
Turning the above into a working and stable exploit is left as an
exercise to the interested reader :-)
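The root cause above is an unbounded dNSName in the subjectAltName
extension being copied into a fixed-size heap buffer. A defensive check
that a TLS-inspecting proxy, certificate linter or test harness can apply
before a certificate reaches a client is to walk the DER-encoded
GeneralNames and flag dNSName entries that exceed the RFC 1035 hostname
limit or contain non-IA5 octets. The following is an added example written
for this advisory, not code from Opera or from the advisory author; the
minimal DER walker, the 253-octet limit and the constructed sample
extension values are assumptions for illustration, not taken from the
original text.

```python
"""Minimal DER walker for an X.509 subjectAltName (GeneralNames) value.

Added example: audits dNSName entries for oversized or malformed values of
the kind the advisory describes. The parser is deliberately minimal and
only understands the SEQUENCE / [2] dNSName tags it needs.
"""

MAX_HOSTNAME_LEN = 253  # RFC 1035 limit on a full domain name (assumed bound)
TAG_SEQUENCE = 0x30
TAG_DNSNAME = 0x82      # [2] IMPLICIT IA5String inside GeneralName


def encode_length(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_length(buf: bytes, pos: int) -> tuple:
    """Return (length, position after the length octets), bounds-checked."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    num = first & 0x7F
    if num == 0 or num > 4:
        raise ValueError("unsupported DER length encoding")
    end = pos + 1 + num
    if end > len(buf):
        raise ValueError("truncated DER length")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def build_san(dns_names: list) -> bytes:
    """Build a GeneralNames SEQUENCE containing only dNSName entries."""
    inner = b"".join(bytes([TAG_DNSNAME]) + encode_length(len(n)) + n
                     for n in dns_names)
    return bytes([TAG_SEQUENCE]) + encode_length(len(inner)) + inner


def parse_san_dns_names(der: bytes) -> list:
    """Walk a GeneralNames SEQUENCE and return the raw dNSName values."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    length, pos = decode_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    names = []
    while pos < end:
        tag = der[pos]
        vlen, pos = decode_length(der, pos + 1)
        if pos + vlen > end:
            raise ValueError("GeneralName runs past enclosing SEQUENCE")
        if tag == TAG_DNSNAME:
            names.append(der[pos:pos + vlen])
        pos += vlen  # skip other GeneralName choices (rfc822Name, IP, ...)
    return names


def check_dns_name(name: bytes) -> list:
    """Return a list of problems; an empty list means the name looks sane."""
    problems = []
    if len(name) > MAX_HOSTNAME_LEN:
        problems.append(f"dNSName length {len(name)} exceeds {MAX_HOSTNAME_LEN}")
    if any(b > 0x7F for b in name):
        problems.append("dNSName contains non-IA5 (non-ASCII) octets")
    if b"\x00" in name:
        problems.append("dNSName contains NUL octet")
    return problems


def audit_san(der: bytes) -> list:
    """Pair every dNSName in the extension with its list of problems."""
    return [(n, check_dns_name(n)) for n in parse_san_dns_names(der)]


# Constructed sample extension values (not real certificates)
BENIGN_SAN = build_san([b"www.example.com", b"example.com"])
OVERSIZED_SAN = build_san([b"l" * 50000])  # the length class the advisory describes

if __name__ == "__main__":
    for label, san in (("benign", BENIGN_SAN), ("oversized", OVERSIZED_SAN)):
        for name, problems in audit_san(san):
            shown = name[:40] + (b"..." if len(name) > 40 else b"")
            print(label, shown, problems or "ok")
```

The walker validates every length against the enclosing buffer before
slicing, so a truncated or inconsistent extension raises instead of being
silently accepted; a real deployment would run this on the SAN extension
value extracted from the certificate rather than on the constructed
samples.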
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:
Update to Opera 9.25. This has also been patched in Opera Mini at the
time of the desktop release. It is still unpatched on one particular
platform, though.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | [email protected]
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+---------------------+--------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/